Linux Archive


Ron Loftin 12-11-2009 09:03 PM

Firewall for virtual machines
 
On Fri, 2009-12-11 at 13:50 -0800, MHR wrote:
> I realize I'm not getting a lot of questions answered here lately, and
> I'm going to presume that this is for legitimate reasons (i.e., people
> don't know or are too busy to think about it), not because they seem
> stupid (if they do, please tell me, on the list or privately).
>
> I run Windows as a VMWare guest on top of my CentOS host, and I
> generally have not used a firewall on the guest. This is partly
> because I only run it rarely, and it seems like a waste when it's
> running on a host that has its own, pretty effective firewall, but
> today I began to wonder - would it be a bad idea (or a complete waste)
> to use a firewall, like ZoneAlarm, on my Windows guest OS?
>
> Opinions welcome.
>
Disclaimer: This is just my own opinion, on a good day maybe worth
$0.02 (US).

I'd say that my circumstances are pretty similar to yours in that I run
the Windoze VM occasionally for non-critical uses ( most of the time ).
My network is protected by a separate CentOS 5 box with Shorewall as a
front-end for iptables, and I feel as secure as anyone has a right to
while still having an active Internet connection. ;>

So far, my practice has been to just run with the Windoze firewall
enabled, and I do that mostly to keep the rest of that miserable excuse
for an OS from whining about no detectable firewall in place, rather
than in any expectation that it will actually prevent something bad from
happening. I also have Windoze 2000 VMs with no firewall, and as far as
I know nothing bad has slid onto my network.

The bottom line is that in a VM protected by a "real" firewall, I see no
particular need for another waste of system resources on an OS that
wastes too much already. ;>

> Thanks.
>
> mhr

--
Ron Loftin reloftin@twcny.rr.com

"God, root, what is difference ?" Piter from UserFriendly

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Brian Mathis 12-11-2009 09:07 PM

Firewall for virtual machines
 
On Fri, Dec 11, 2009 at 4:50 PM, MHR <mhullrich@gmail.com> wrote:
> I realize I'm not getting a lot of questions answered here lately, and
> I'm going to presume that this is for legitimate reasons (i.e., people
> don't know or are too busy to think about it), not because they seem
> stupid (if they do, please tell me, on the list or privately).
>
> I run Windows as a VMWare guest on top of my CentOS host, and I
> generally have not used a firewall on the guest. This is partly
> because I only run it rarely, and it seems like a waste when it's
> running on a host that has its own, pretty effective firewall, but
> today I began to wonder - would it be a bad idea (or a complete waste)
> to use a firewall, like ZoneAlarm, on my Windows guest OS?
>
> Opinions welcome.
>
> Thanks.
> mhr


This depends on how you have the guest network set up. If it's in
bridged mode, then the firewall on the host does nothing to protect
the guest. If you're running NAT mode, then that's sort of like a
(consumer) firewall already, so should be pretty safe.
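
The bridged-versus-NAT distinction in the post above can be checked on the host. The following is an added example, not part of the thread: it reads each NIC's `connectionType` from a VMware `.vmx` file and lists the `[incomingtcp]`/`[incomingudp]` port forwards in a `nat.conf`, which are the way unsolicited traffic reaches a NAT guest. The file contents are constructed, and treating a NIC with no `connectionType` line as bridged is an assumption.

```shell
# Added example; the sample files at the bottom are constructed.
# Print "<nic> <mode>" for each NIC marked present in a .vmx file.
# Assumption: a present NIC with no connectionType line is bridged.
vmx_nic_modes() {
    awk -F' *= *' '
        { gsub(/["\r]/, "", $2); nic = $1; sub(/\..*/, "", nic) }
        $1 ~ /^ethernet[0-9]+\.present$/ && toupper($2) == "TRUE" { present[nic] = 1 }
        $1 ~ /^ethernet[0-9]+\.connectionType$/ { mode[nic] = tolower($2) }
        END { for (n in present) print n, ((n in mode) ? mode[n] : "bridged") }
    ' "$1" | sort
}

# Print "<proto> <host_port> <guest_ip:port>" for each forward in nat.conf.
nat_forwards() {
    awk '
        /^[ \t]*#/ { next }
        /^\[/ { sect = tolower($0); gsub(/[^a-z]/, "", sect); next }
        sect ~ /^incoming(tcp|udp)$/ && /=/ {
            gsub(/[ \t\r]/, ""); split($0, kv, "=")
            print substr(sect, 9), kv[1], kv[2] }
    ' "$1"
}

# One verdict line per NIC: is the guest covered by anything but itself?
assess() {
    vmx_nic_modes "$1" | while read -r nic mode; do
        case "$mode" in
            bridged) echo "$nic bridged: host firewall does not cover guest" ;;
            nat) n=$(nat_forwards "$2" | wc -l | tr -d ' ')
                 echo "$nic nat: inbound blocked except $n forward(s)" ;;
            *) echo "$nic $mode: review manually" ;;
        esac
    done
}

d=$(mktemp -d)
cat > "$d/guest.vmx" <<'EOF'
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "TRUE"
EOF
cat > "$d/nat.conf" <<'EOF'
[host]
ip = 172.16.3.2
[incomingtcp]
8445 = 172.16.3.128:445
EOF
assess "$d/guest.vmx" "$d/nat.conf"
```

On a Linux host the NAT settings are typically under `/etc/vmware/vmnet8/nat/nat.conf`; any forward listed there is a path into the guest that only a firewall inside the guest filters.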

MHR 12-11-2009 09:47 PM

Firewall for virtual machines
 
On Fri, Dec 11, 2009 at 2:07 PM, Brian Mathis <brian.mathis@gmail.com> wrote:
>
>
> This depends on how you have the guest network set up. If it's in
> bridged mode, then the firewall on the host does nothing to protect
> the guest. If you're running NAT mode, then that's sort of like a
> (consumer) firewall already, so should be pretty safe.

Excellent point - I should have said: I run in NAT mode, mainly
because I can use SAMBA in NAT mode but I never could get the SAMBA
mounts from Win-guest to work with the CentOS host in bridged mode.
Probably just my own ineptitude with SAMBA, but in NAT it works fine
(with the exact same smb.conf...).

Many thanks.

mhr

Agile Aspect 12-11-2009 09:48 PM

Firewall for virtual machines
 
On Fri, Dec 11, 2009 at 1:50 PM, MHR <mhullrich@gmail.com> wrote:
> I realize I'm not getting a lot of questions answered here lately, and
> I'm going to presume that this is for legitimate reasons (i.e., people
> don't know or are too busy to think about it), not because they seem
> stupid (if they do, please tell me, on the list or privately).
>
> I run Windows as a VMWare guest on top of my CentOS host, and I
> generally have not used a firewall on the guest. This is partly
> because I only run it rarely, and it seems like a waste when it's
> running on a host that has its own, pretty effective firewall, but
> today I began to wonder - would it be a bad idea (or a complete waste)
> to use a firewall, like ZoneAlarm, on my Windows guest OS?
>

In addition to running Microsoft's free firewall, I also run
Microsoft's antivirus/malware software which is also free.

This is on a dual boot netbook - and I typically only use Windows for
either my MagicJack phone or debugging user issues.

--
Enjoy global warming while it lasts.

Kai Schaetzl 12-12-2009 11:31 AM

Firewall for virtual machines
 
Mhr wrote on Fri, 11 Dec 2009 13:50:27 -0800:

> would it be a bad idea (or a complete waste)
> to use a firewall, like ZoneAlarm, on my Windows guest OS?

Yes, using ZA is a bad idea. XP has its own firewall which is enabled by
default if you are patched up-to-date. Keep that on.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




MHR 12-12-2009 07:09 PM

Firewall for virtual machines
 
On Sat, Dec 12, 2009 at 4:31 AM, Kai Schaetzl <maillists@conactive.com> wrote:
> Mhr wrote on Fri, 11 Dec 2009 13:50:27 -0800:
>
> Yes, using ZA is a bad idea. XP has its own firewall which is enabled by
> default if you are patched up-to-date. Keep that on.
>

Now you've sparked my curiosity - how is the XP firewall any better than ZA?

Also, in regard to other answers I've seen on the list, since I'm
using NAT, isn't another firewall just a waste?

Thanks.

mhr

Kai Schaetzl 12-13-2009 02:31 PM

Firewall for virtual machines
 
Mhr wrote on Sat, 12 Dec 2009 12:09:17 -0800:

> Now you've sparked my curiosity - how is the XP firewall any better than ZA?

ZA is not just a firewall. Googling will tell you about the problems with it.

>
> Also, in regard to other answers I've seen on the list, since I'm
> using NAT, isn't another firewall just a waste?

A host firewall can still help against threats from within the network. Also,
the XP firewall takes little resources.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




mark 12-13-2009 04:18 PM

Firewall for virtual machines
 
Kai Schaetzl wrote:
> Mhr wrote on Fri, 11 Dec 2009 13:50:27 -0800:
>
>> would it be a bad idea (or a complete waste)
>> to use a firewall, like ZoneAlarm, on my Windows guest OS?
>
> Yes, using ZA is a bad idea. XP has its own firewall which is enabled by
> default if you are patched up-to-date. Keep that on.

Huh? I've *NEVER* heard great things about WinDoze firewall, and the std. from
the fairly heavy duty folks I know who support WinDoze is that the std for
non-commercial is ZoneAlarm.

mark

John R Pierce 12-13-2009 04:45 PM

Firewall for virtual machines
 
mark wrote:
> Huh? I've *NEVER* heard great things about WinDoze firewall, and the std. from
> the fairly heavy duty folks I know who support WinDoze is that the std for
> non-commercial is ZoneAlarm.
>

I'm not sure what WinDoze is, sounds like a new sleeping aid.

Pretty much everyone I know who commercially supports Microsoft Windows
users can't stand ZoneAlarm, its constant yammering about meaningless
things is just annoying, and end users either end up shutting it off, or
click the wrong button and then can't figure out why their programs
aren't working. As of XP SP2 and later, the integral Windows Firewall
works just fine. It blocks all inbound unsolicited traffic and it
doesn't interfere with the software already running on your computer.
It's fully configurable by group policies for domain managed sites.

But, this is -far- off topic for a CentOS list.





"Joseph L. Casale" 12-13-2009 06:54 PM

Firewall for virtual machines
 
>Huh? I've *NEVER* heard great things about WinDoze firewall...

That's only because the interface for it is far too complicated for most people
to comprehend. Netsh and/or the registry.

Simply because what the gui reveals is little of the feature scope, most think it
doesn't do much. It's almost like iptables in capacity (almost I said) with some
additional functionality in that it can control access on a program by program basis.
Pretty "great" if you ask me:)

